LDAP interface troubleshooting
Before you contact Support, use this troubleshooting information to identify the cause of the error you experienced.
If an LDAP request takes more than two minutes to evaluate, the LDAP Interface stops evaluating it and returns error code 3 (time limit exceeded).
If you receive an error similar to the following, all it tells you is that there was a handshake failure.
If you use the -Djavax.net.debug=ssl option and rerun your code, you'll see:
Connection reader for connection 0 to <org>.ldap.okta.com:636, READ: TLSv1.2 Alert, length = 2
Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure
Connection reader for connection 0 to <org>.example.okta.com:636, called closeSocket()
Connection reader for connection 0 to <org>.example.okta.com:636, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The above output shows that the client sent a TLSv1.1 packet and the server, which responded with TLSv1.2, rejected the request with a fatal handshake_failure alert.
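As an added example (not part of the Okta documentation), the following Python helper parses the RECV ... ALERT lines from -Djavax.net.debug=ssl output, maps the alert description to its likely cause, and can probe an LDAPS endpoint with a TLS 1.2-only client to report the negotiated version and cipher suite. The sample debug output is constructed from the format shown above; the hostname is the page's placeholder, not a real endpoint.

```python
"""Classify TLS alerts from -Djavax.net.debug=ssl output and probe an LDAPS endpoint."""
import re
import socket
import ssl

# Matches lines such as:
#   Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure
ALERT_RE = re.compile(
    r"connection \d+ to (?P<host>[^:\s]+):(?P<port>\d+), "
    r"RECV (?P<version>TLSv[\d.]+) ALERT: (?P<level>\w+), (?P<desc>\w+)"
)

# Likely causes for the alerts most often seen against a TLS 1.2-only LDAPS endpoint.
LIKELY_CAUSE = {
    "handshake_failure": "client offered no protocol version or cipher suite the server accepts; "
                         "enable TLS 1.2 and a server-supported cipher suite on the client",
    "protocol_version": "client TLS version not supported by the server; enable TLS 1.2",
    "certificate_unknown": "client does not trust the server certificate chain; update the trust store",
}

# Constructed sample, following the debug output format shown on this page.
SAMPLE_DEBUG = """\
Connection reader for connection 0 to <org>.ldap.okta.com:636, READ: TLSv1.2 Alert, length = 2
Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure
Connection reader for connection 0 to <org>.ldap.okta.com:636, called closeSocket()
"""


def parse_alerts(debug_output):
    """Return one dict per 'RECV ... ALERT' line: host, port, version, level, desc, likely_cause."""
    findings = []
    for line in debug_output.splitlines():
        m = ALERT_RE.search(line)
        if m:
            f = m.groupdict()
            f["port"] = int(f["port"])
            f["likely_cause"] = LIKELY_CAUSE.get(f["desc"], "see RFC 5246 section 7.2 for this alert")
            findings.append(f)
    return findings


def probe_tls(host, port=636, timeout=5.0):
    """Attempt a TLS 1.2+ handshake; report negotiated version and cipher, or the error."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}
```

Run parse_alerts on the saved debug output to see which alert the server sent and why; probe_tls against your own endpoint confirms whether a TLS 1.2 client with the default cipher suites can complete the handshake.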
For C-based clients, you can use SSLTap or OpenSSL. For example, the following failure shows an SSL handshake failure due to SSLv3.
The following example shows an SSL handshake rejected because of an unsupported cipher.